b"INFORMATION SECURITY PROGRAM\n     Department of Transportation\n\n     Report Number: FI\xe2\x80\x932007\xe2\x80\x93002\n     Date Issued: October 23, 2006\n\x0c           U.S. Department of\n                                                  Memorandum\n           Transportation\n           Office of the Secretary\n           of Transportation\n           Office of Inspector General\n\n\nSubject:   ACTION: Audit of Information Security                     Date:    October 23, 2006\n           Program, Department of Transportation\n           Report Number: FI-2007-002\n\n  From:    Todd J. Zinser                                         Reply to\n                                                                  Attn. of:   JA-20\n           Acting Inspector General\n\n    To:    Chief Information Officer\n\n           This report presents the results of our annual audit of the information security\n           program at the Department of Transportation (DOT). In accordance with the\n           Federal Information Security Management Act of 2002 (FISMA), our objective\n           was to determine the effectiveness of DOT\xe2\x80\x99s information security program by\n           measuring progress made in (1) securing information systems and protecting\n           sensitive agency data, (2) strengthening air traffic control system security as part\n           of the nation\xe2\x80\x99s critical infrastructure, and (3) enhancing the departmental\n           Investment Review Board\xe2\x80\x99s (IRB) ability to identify performance gaps in major\n           information technology (IT) investments. We are also contributing to DOT\xe2\x80\x99s\n           annual FISMA report by answering questions specified by the Office of\n           Management and Budget (OMB). 
Our contribution to the annual DOT FISMA\n           report is included as Exhibit A.\n\n           Similar to last year, in carrying out these objectives, we tested a representative\n           subset of DOT systems, including contractor-operated or -maintained systems that\n           had undergone systems security certification reviews, in order to determine\n           whether DOT had complied with Government standards for (1) assessing system\n           risks, (2) identifying security requirements, (3) testing security controls, and\n           (4) accrediting systems as able to support business operations. We also performed\n           a detailed follow-up review of the Department\xe2\x80\x99s process for managing remediation\n           of known security deficiencies.\n\n           This performance audit was conducted in accordance with Generally Accepted\n           Government Auditing Standards prescribed by the Comptroller General of the\n           United States and included such tests as we considered necessary to detect fraud,\n           waste, or abuse. Details of our scope and methodology are described in Exhibit B.\n\x0c                                                                                   2\n\nINTRODUCTION\nFISMA requires Federal agencies to identify and provide security protection\ncommensurate with the risk and magnitude of harm resulting from the loss of,\nmisuse of, unauthorized access to, or modification of information collected or\nmaintained by or on behalf of an agency. DOT maintains one of the largest\nportfolios of IT systems among Federal civilian agencies; it is therefore essential\nthat the Department protect these systems, along with their sensitive data. In fiscal\nyear (FY) 2006, DOT\xe2\x80\x99s IT budget totaled about $2.5 billion. 
During FY 2006,\nDOT experienced leadership changes at both departmental and Federal Aviation\nAdministration (FAA) Chief Information Officer (CIO) offices.\n\nThe Department has 12 Operating Administrations (OA). All OAs except FAA\nand the Surface Transportation Board (STB) are scheduled to relocate to a new\nHeadquarters building next year. To support this move, the Department\nconsolidated individual OAs\xe2\x80\x99 IT infrastructures (e-mail, desktop computing, and\nlocal area networks) into a common IT operating environment. This consolidated\nIT infrastructure presents opportunities to enhance the Department\xe2\x80\x99s information\nsecurity, along with challenges that include installing, testing, and accrediting the\nnew common IT operating environment; installing more than 75 OA application\nsystems on the new IT infrastructure; and recertifying the security of these systems\nto support business operations in the new Headquarters building\xe2\x80\x94all on a very\ntight and still evolving schedule.\n\nFor FY 2006, the Department reported a total of 426 computer systems, about\n6 percent fewer than last year as a result of its continuing effort to consolidate\nsystems. Among the systems the Department maintains and operates is the air\ntraffic control system, which the President has designated a national critical\ninfrastructure. Other systems owned by the Department include safety-sensitive\nsurface transportation systems and financial systems that disburse over $50 billion\nin Federal funds each year. Systems inventory counts for FY 2005 and FY 2006\nfor each OA are detailed in Exhibit C.\n\n\nRESULTS IN BRIEF\nDuring FY 2006, the Department made noticeable improvement in tracking,\nprioritizing, and correcting security weaknesses\xe2\x80\x94a major concern identified last\nyear. 
The Department also took aggressive action to identify systems containing\npersonally identifiable information (PII) for proper security protection, including\nprocuring encryption software to secure all laptop computers. In addition, the\ndepartmental IRB provided oversight to a multibillion-dollar IT investment project\nmanaged by FAA.\n\x0c                                                                                   3\n\nFY 2007 will be a particularly challenging year for the Department in managing\nits IT security and investments. It has to recertify more than half of all its\ninformation systems, upgrade systems security to meet new Government\nstandards, relocate its Headquarters (including more than 75 information systems),\nand take aggressive action to strengthen air traffic control systems security\nprotection. In addition, the Department needs to develop a better methodology to\nvalidate the security configurations of commercial software products installed in\nDOT systems and continue enhancing oversight of IT investments. Specifically:\n\n\xe2\x80\xa2 Air Traffic Control. Securing the nation\xe2\x80\x99s critical air traffic control systems\n  infrastructure should be a top priority of DOT\xe2\x80\x99s information security program.\n  However, FAA has not made adequate progress in implementing planned\n  corrective actions. In FY 2004, FAA committed to developing contingency\n  planning for restoring essential air services in case of prolonged service\n  disruption and completing reviews of operational air traffic control systems\n  security over a period of 3 years. Last year, we reported that FAA\xe2\x80\x99s overall\n  progress was insufficient because it did not start to initiate corrective action in\n  earnest until April 2005. During FY 2006, FAA made limited progress in\n  these areas due, according to FAA management, to funding constraints. 
We\n  recognize that FAA faces critical decisions in balancing its priorities and using\n  its funds at a time of increasingly tight budgets. Yet issues concerning the\n  security of a critical national infrastructure should receive priority and\n  immediate attention. The FAA Deputy Administrator, the head of the Air\n  Traffic Organization, and the FAA CIO committed to developing detailed\n  work plans, allocating required resources, and implementing corrective actions.\n  During FY 2007, we plan to initiate an audit of FAA\xe2\x80\x99s progress in reviewing\n  operational systems security and contingency planning in accordance with the\n  approved plans.\n\n\xe2\x80\xa2 Security Recertification. About 230 systems\xe2\x80\x94more than half of the\n  Department\xe2\x80\x99s total inventory\xe2\x80\x94are due for security recertification during\n  FY 2007. On top of that, these systems must meet new minimum Government\n  security standards before they can be recertified, which will require security\n  upgrades in some cases. Meeting these new standards also requires policy\n  guidance and awareness training. For example, system owners did not\n  properly follow National Institute of Standards and Technology (NIST)\n  guidance in assigning risk categories for 6 of 14 systems sampled this year. If\n  not corrected, the erroneous (lower) risk rating could result in inadequate\n  security protection for these systems. Further, critical infrastructure systems\n  used to direct air traffic control and track shipments of hazardous materials\n  were reported as having a moderate risk impact, which is inconsistent with\n  OMB direction. The departmental CIO informed us that he plans to issue new\n  policy guidance on risk categorization in FY 2007 to ensure more consistent\n\x0c                                                                                  4\n\n   risk-impact analyses. 
Therefore, in our submission to OMB this year, we\n   decided not to report how many high, moderate, or low risk-impact systems the\n   Department had.\n\n\xe2\x80\xa2 IT Infrastructure Consolidation. In FY 2007, the Department has to\n  implement a consolidated IT infrastructure to support all OAs relocated to the\n  new Headquarters building. While this consolidated IT infrastructure presents\n  a good opportunity to consolidate IT operations and eliminate fragmentation, it\n  will require a higher level of security protection because the potential impact of\n  disruption will be greater\xe2\x80\x94i.e., on multiple OAs, not just one. However, the\n  plan and schedule to implement and test this new infrastructure are still\n  evolving, due to a variety of move-related problems. As part of this IT\n  consolidation, the Department should also identify a systems backup/recovery\n  site at a sufficient geographic distance from the new Headquarters and conduct\n  systems contingency testing after completing the Headquarters move. Further,\n  the CIO needs to direct OAs not to make additional investments to equip their\n  individual system backup/recovery sites until decisions have been made for the\n  consolidated recovery site. As we previously reported, some OA recovery\n  sites are within a short distance from Headquarters\xe2\x80\x9410, 15, or 25 miles. In\n  case of an emergency, OAs would be likely to lose both the primary and\n  backup computers used to support their missions. Such sites should be\n  replaced by the consolidated backup/recovery site.\n\n\xe2\x80\xa2 Network Security. 
In the past several years, the Department has done a\n  commendable job in enhancing its network security against both internal and\n  external attacks based on known vulnerabilities in commercial off-the-shelf\n  software, such as the Windows operating system and Oracle database system.\n  To further reduce this risk, all agencies are now required to configure these\n  commercial systems in accordance with NIST or agency standards. During FY\n  2006, 9 of 12 OAs submitted documentation to the CIO office to support their\n  compliance with standards. However, the submissions were incomplete and\n  inconclusive. As a result, the Department cannot determine whether\n  commercial software is properly configured to help prevent attacks on DOT\n  systems. The CIO needs to develop a better method of evaluating OAs\xe2\x80\x99\n  compliance with security configuration standards.\n\n\xe2\x80\xa2 IT Investment Management. In FY 2005, we recommended that the\n  Department clarify the IRB\xe2\x80\x99s authority and increase the Board\xe2\x80\x99s capability to\n  research potential project cost, schedule, and performance shortfalls on\n  complicated IT investments. Subsequently, the Department confirmed that the\n  Board, through advising the Secretary, can influence budget decisions on all IT\n  investments. During FY 2006, using this authority, the Board enhanced project\n  management of a multibillion-dollar investment project called the FAA\n\x0c                                                                                  5\n\n   Telecommunications Infrastructure.      In terms of identifying problems\n   associated with major IT investments, the Department plans to delegate more\n   responsibilities to individual OA review boards to oversee their specific IT\n   investments. 
While we support the idea of holding each OA accountable for its\n   own projects, this will not be possible until clear performance measures are\n   established, such as Earned Value Management (EVM) measures. However,\n   we found 70 percent of DOT\xe2\x80\x99s major IT investment projects met fewer than\n   half of OMB\xe2\x80\x99s criteria for EVM implementation.\n\nWe are making a series of recommendations, starting on page 15, to help the\nDepartment strengthen its information security program, the security protection of\nthe critical air traffic control systems infrastructure, and oversight of its\nmultibillion-dollar annual IT investments. The departmental CIO agreed with our\nfindings and recommendations. We have requested that DOT provide written\ncomments describing the specific actions it will take to implement these\nrecommendations.\n\n\nFINDINGS\n\nProtecting the Nation\xe2\x80\x99s Critical Infrastructure: FAA Needs To Make\nGreater Progress in Reviewing Operational Systems and in\nContingency Planning\nThe President has designated air traffic control systems a critical national\ninfrastructure due to the important role commercial aviation plays in fostering and\nsustaining the national economy and ensuring citizens\xe2\x80\x99 safety and mobility. In\nFY 2004, based on audit findings, FAA made a strong commitment to enhancing\nthe security protection of air traffic control systems. One of its promises was to\ncomplete security reviews of all operational air traffic control systems\xe2\x80\x94at\nen route, approach control, and airport terminal facilities\xe2\x80\x94between FY 2005 and\nFY 2007. 
This is critical to protecting air traffic control systems because security\nvulnerabilities could inadvertently be created when changes are made to the\n\xe2\x80\x9cbaseline\xe2\x80\x9d systems to meet local operational needs.\n\nFAA made little progress in reviewing operational air traffic control systems\nsecurity until after April 2005, when the Inspector General sent a letter to the FAA\nAdministrator expressing concern over the slow pace of the corrective action. By\nthe end of FY 2005, FAA had conducted initial reviews at all en route facilities,\nrepresenting a clear step in the right direction. However, FAA did not follow\nthrough with this effort during FY 2006 because of, according to FAA officials, a\nfunding shortage.\n\x0c                                                                                    6\n\nIn October of this year, the FAA CIO and the head of the Air Traffic Organization\ncommitted to developing a plan by the end of December 2006 detailing the\napproach FAA will take during FY 2007 to evaluate security differences between\nsystems used to direct air traffic at terminal and tower facilities and the \xe2\x80\x9cbaseline\xe2\x80\x9d\nsystems previously tested in its computer laboratory. If this process is\nimplemented effectively, it will significantly strengthen security protection of air\ntraffic control systems.\n\nAnother FAA promise was to develop a contingency plan to restore essential air\nservices in case of prolonged service disruptions at en route centers. FAA\xe2\x80\x99s\nexisting business continuity plan has worked well in the past to ensure flight safety\nwhen dealing with temporary, less severe disruptions. In FY 2005, we reported\nthat FAA had identified a contingency strategy to deal with prolonged service\ndisruptions but was years away from its implementation. In October 2006, the\nFAA Deputy Administrator informed us that FAA had identified an interim\nsolution based on the results of an engineering study. 
The Deputy Administrator\nalso made a strong commitment to fund this interim solution with existing FAA\nresources.\n\nWe recognize that FAA faces critical decisions in balancing its priorities and using\nits funds at a time of increasingly tight budgets. Yet issues concerning the security\nof a critical national infrastructure should receive attention and support from OMB\nand Congress. We plan to initiate an audit of FAA\xe2\x80\x99s progress in reviewing\noperational systems security and implementing the interim solution for\ncontingency planning in accordance with the approved plans.\n\n\nSystems Security: The Department Faces a Unique Challenge in\nRecertifying More Than Half of Its Systems\xe2\x80\x99 Security in Fiscal Year\n2007, While Meeting a New Government Security Standard\nIn FY 2004, the Department made significant strides in reviewing and testing\ninformation systems security and successfully increased the systems certification\nand accreditation rate from 33 percent to over 90 percent. The certification and\naccreditation process is a statutory requirement to ensure that information systems\nare adequately secured to support agency missions and must be conducted every 3\nyears or upon major system change. The reviews conducted in 2004 are due for\nrecertification in 2007, as will be the systems moving to the new Headquarters\nbuilding\xe2\x80\x94as moving constitutes a significant change. Prior to the move, the CIO\ndecided to delay recertifying systems that were moving to the new building and\nwere due to be recertified within 180 days of their scheduled move date. The CIO\nalso extended the system certification statements for an additional 120 days after\nthe systems move. 
Given the move, DOT will be faced with the need to recertify\n\x0c                                                                                   7\n\nsome 230 systems during FY 2007\xe2\x80\x94almost double the number that DOT would\nlike to review on a yearly basis (see Table 1).\n\n\n        Table 1. Number of DOT Systems Due For Security\n             Recertification as of September 28, 2006\n                                Systems to be recertified in:         Total\n                OA*            FY 2007   FY 2008      FY 2009      systems\n                FAA                 106        79             78       263\n                FHWA                 23         0              0        23\n                FMCSA                11         4              7        22\n                FRA                   9         0             13        22\n                FTA                   5         0              1         6\n                MARAD                12         0              0        12\n                NHTSA                14         2              2        18\n                OST                  38         1              4        43\n                PHMSA                 3         1              1         5\n                RITA                  8         0              1         9\n                SLSDC                 0         0              1         1\n                STB                   1         0              1         2\n                   Total              230           87      109        426\n              *See Exhibit C for a list of OA acronyms.\n\nSystems Security Needs To Be Upgraded To Meet Minimum\nStandards\nIn addition to the number of systems that require recertification, another\ncomplication is that the recertifications will have to be conducted to a higher\nstandard. FISMA required NIST to develop minimum security standards for\nFederal agencies\xe2\x80\x99 systems. 
These new standards become effective in March 2007\nand will most likely require security upgrades in the Department\xe2\x80\x99s systems. In an\nattempt to estimate the gap between existing security controls and the minimum\nsecurity requirements, we performed a preliminary assessment on a safety-\nsensitive system that had undergone the security certification review in previous\nyears. It met only about two-thirds of the minimum security standards in one\ncritical area. Although this gap is not a reflection of improper certification\nreviews in the past, it needs to be addressed before the system is recertified in the\nfuture.\n\nAnother area that can have a significant impact on the quality of the review is\ndetermining the correct risk categorization of a system. This categorization is the\nfirst step in determining what minimum security controls will be required for a\nsystem. Six of 14 systems sampled this year were incorrectly categorized with a\nlower-than-warranted risk-impact level. In addition, critical infrastructure systems\n\x0c                                                                                                                           8\n\nused to direct air traffic control and track shipments of hazardous materials are\nreported as having a moderate risk-impact, which is inconsistent with OMB\ndirection.\n\nWe also reviewed systems containing PII. These systems contain individuals\xe2\x80\x99\nnames and unique identifiers, such as social security numbers. DOT has made\nprogress by identifying PII systems, but has no assurance that they are adequately\nsecured, because the correct impact level was not identified. Our review of the\nrisk impact levels of the 100 DOT PII systems uncovered varying levels of\nconfidentiality: 9 high, 63 moderate, 18 low, and 10 lacking a rating. Further\nevaluation of the 18 PII systems with a low confidentiality risk rating identified 11\nwith a low overall risk rating. 
1 This is contrary to DOT policy, which states that\nany system containing PII must by definition have an overall risk level rating of at\nleast moderate.\n\nTo meet all of these challenges, the OAs will need to submit system recertification\nwork schedules for approval, identify security upgrade needs and funding sources,\nand report progress against approved schedules throughout the year. Continual\noversight by the departmental CIO will be needed to ensure that the schedules\naddress the funding sources and upgrades needed for the recertifications, to\nmeasure OAs\xe2\x80\x99 progress against their plans, and to provide policy guidance where\nnecessary throughout the year.\n\n\nResponsibility for Securing Safety Systems Used Nationwide Needs\nTo Be Clarified\nWe also found that the Commercial Driver\xe2\x80\x99s License Information System (CDLIS)\nis not included in the departmental systems inventory\xe2\x80\x94and therefore did not\nreceive a system security review. CDLIS is used by the Federal Motor Carrier\nSafety Administration (FMCSA) and state agencies to manage information on\ndrivers holding commercial driver\xe2\x80\x99s licenses. Contained in the system are an\nindividual\xe2\x80\x99s name, address, social security number, date of birth, and race. The\nsystem works as a pointer system, 2 similar to the National Driver Register\n(NDR)\xe2\x80\x94another safety-critical system, which we reviewed last year. The\nDepartment has a legal responsibility to protect the information in both of these\nsystems, yet is inconsistent in its approach to them. For example, NDR has had a\nsystem security review in the past few years, while CDLIS has not. 
The\n\n\n1\n    Systems are rated for confidentiality, integrity, and availability and are also given an overall rating, which is equal to\n    the highest rating given for any of those three components.\n2\n    A pointer system is one that provides abbreviated information while identifying the location of a more complete\n    record. In the case of NDR, limited information is available on individuals whose privilege to drive has been\n    revoked, suspended, canceled, or denied or who have been convicted of a serious traffic-related offense. The system\n    also identifies the state in which a more complete record can be accessed.\n\x0c                                                                                                                  9\n\nDepartment thus lacks assurance that CDLIS is operating at a level of security\ncommensurate with its risks.\n\nWhen we attempted to determine the cause for its exclusion from the\nDepartment\xe2\x80\x99s inventory, the reason provided by FMCSA was that CDLIS is only a\ngrants program, meaning that the organization receiving the grant would be\nresponsible for the system. In our opinion, however, CDLIS remains a DOT\nsystem. FMCSA officials have asked their counsel for an opinion on the matter\nand will not commit to conducting a security review until the legal opinion is\nreceived. In the interim, however, FMCSA has initiated action to meet with the\ncontractor, review the security in place, and determine if it is effective and\nadequate. Following this meeting and security review, FMCSA will plan a course\nof action to remediate any gaps found in CDLIS security.\n\n\nHeadquarters Move: The Department Needs To Thoroughly Test Its\nConsolidated IT Infrastructure for Adequate Security Before Moving\nCritical Systems to Its New Headquarters\nTraditionally, each OA has managed its own IT infrastructure (desktop computers,\nlocal area networks, and e-mail) in the departmental Headquarters. 
These\nduplicative IT operations were expensive to maintain and had inconsistent security\nprotections\xe2\x80\x94both physical and logical. 3 Since they were interconnected, security\nweaknesses in one OA\xe2\x80\x99s infrastructure could endanger others: in other words,\nthey are only as strong as the weakest link.\n\nAs part of the move to the new Headquarters, the Department seized the\nopportunity to consolidate these IT infrastructure operations into one. Because the\nconsolidated IT infrastructure will support all OAs\xe2\x80\x99 operations, it will require a\nhigher level of security protection than is presently the case and will therefore also\nneed thorough testing. While this consolidated infrastructure can help strengthen\ndepartmentwide security protection and make IT operations more efficient, the\ncurrent schedule and plan for implementation and testing are still evolving, due to\na variety of move-related problems. If not properly secured, this consolidated\ninfrastructure could result in much greater harm to the integrity of departmental\nsystem operations than would be the case if only one OA were affected. The\nDepartment must thoroughly test this new IT infrastructure before installing OA\nmission-critical systems in this new infrastructure.\n\n\n\n\n3\n    Logical security consists of software safeguards for an organization\xe2\x80\x99s systems, including user identification and\n    password access, authentication, access rights, and authority levels. 
These measures are to ensure that only\n    authorized users are able to perform actions or access information in a network or a workstation.\n\x0c                                                                                10\n\nFragmented Systems Backup and Recovery Sites Need To Be\nEliminated\nAs part of this IT consolidation, the Department should also identify a systems\nbackup/recovery site at a sufficient geographic distance from the new\nHeadquarters and conduct systems contingency testing after completing the\nHeadquarters move. Further, the CIO needs to direct OAs not to make additional\ninvestments to equip their individual system backup/recovery sites until decisions\nhave been made for the consolidated recovery site.\n\nOAs have been responsible for establishing their individual backup/recovery sites\nbecause they had separate IT infrastructures. In FY 2003, we reported inadequate\ncontingency planning and testing at OA recovery sites. In addition, we stated that\nto reduce the probability of losing both primary and backup sites to the same\ndisaster, the Department needed to develop guidance on the minimum allowable\ngeographic distance between a system\xe2\x80\x99s primary and recovery processing sites.\nSome OAs\xe2\x80\x99 recovery sites are within 10, 15, or 25 miles of primary sites. In case\nof an emergency, those OAs would likely lose both the primary and backup\ncomputers for their mission-critical systems, such as safety inspection and grants\nmanagement systems, since natural disasters often cover areas as large as 25 miles\nor more. Such sites should be replaced by the consolidated backup/recovery site.\n\nIn FY 2005 we reported that over 50 percent of the systems in the sample lacked\ncontingency plans and over 80 percent of the plans were not tested and continued\nto have recovery site locations that were too close. 
This year, 9 of the 14 systems did not have contingency plans; in addition, 11 of the 14 systems did not provide documented evidence that a contingency plan had been tested, and the problem with recovery site proximity continues. Overall, about 60 percent lacked contingency plans and about 75 percent lacked plan testing within the previous year, as required by OMB. The Department needs to enhance systems contingency planning through this IT consolidation effort.


Network Security: The Department Needs To Ensure That Operating Administrations’ Systems Are Configured According to Security Standards

To meet FISMA requirements for a minimally acceptable system configuration, DOT published additional baseline configuration standards for various commercial off-the-shelf software products in FY 2006. The issuance of these additional guidelines has provided DOT with greater capability to configure all of its software products based on standardized security benchmarks. Yet obtaining the data with which to ensure compliance with these standards has proved elusive.

During FY 2006, as an initial effort, DOT identified 117 systems from its inventory of 426 to be tested for compliance with its baseline configuration standards. Accordingly, in April 2006, the Department issued a policy requiring these systems to be completely checked and validated by OAs. In August 2006, the departmental CIO reminded all OAs’ CIOs to complete their compliance checks and report the testing results by early September 2006. Only 9 of the 12 OAs responded to the Department’s request for information regarding their implementation of DOT configuration standards, and they were responsible for only 36 of the 117 systems (see Table 2).

Table 2. Operating Administrations’ Responses to CIO Request for Information on Implementation of DOT Security Configuration Standards

                                                    Number of systems OAs are
                       Operating Administration     responsible for
                       (OA)*                        (compliance review)      Subtotal
   OA Did Not Respond  FAA                                   77
                       MARAD                                  3
                       SLSDC                                  1                    81
   OA Responded        FHWA                                   6
                       FMCSA                                  2
                       FRA                                    3
                       FTA                                    3
                       NHTSA                                 12
                       OST                                    3
                       PHMSA                                  3
                       RITA                                   2
                       STB                                    2                    36
   Total for all OAs                                                              117
   *See Exhibit C for a list of OA acronyms.

In addition, the OAs’ responses presented a big challenge for the CIO to effectively validate the actual implementation of DOT’s configuration standards. Specifically, the OAs’ responses

• came in a variety of formats, including spreadsheets, vulnerability scanning results, automatically generated scoring reports, and manual checklists;
• did not include the evidence requested, such as computer screen shots showing actual settings on a tested system; and
• contained data on systems that were not selected for the compliance review.

As a result, the CIO was not able to effectively determine how many of the 117 systems selected for compliance review were actually tested and to what extent they were in compliance with DOT baseline configuration standards. This happened because DOT has not established a consistent method or set of criteria to be used when validating the actual configuration implementation of its systems. We worked closely with the CIO’s office to determine the percentage of DOT systems meeting security configuration standards based on these submissions for this year’s OMB reporting.

Our contractors also identified deficiencies in the commercial software products used in DOT financial systems, such as vulnerabilities on the computer servers. Those servers were running Windows operating systems and did not meet DOT’s Windows security baseline configuration standards.

The Department needs to enforce its configuration standards. Specifically, DOT needs to establish a consistent method to be used when validating the actual configuration implementation of its systems.


Management Controls: The Department Needs To Work With Operating Administrations To Strengthen Oversight of IT Investments and Streamline Duplicative IT Systems

Last year, we expressed concern over the departmental IRB’s ability to provide value-added services when reviewing FAA’s major IT investment projects. As a result, we recommended that the Department clarify the Board’s authority and increase the Board’s capability to research potential project cost, schedule, and performance shortfalls on complex IT investments.
Subsequently, the Department confirmed that the Board, through advising the Secretary, can influence budget decisions on all IT investments. During FY 2006, using this authority, the Board enhanced project management of a multibillion-dollar investment project called FAA Telecommunications Infrastructure.

In terms of identifying problems associated with major IT investments, the Department plans to delegate more responsibilities to individual OA review boards to oversee their specific IT investments. While we support the idea of holding OAs more accountable for their own projects, this will not be possible until the departmental IRB establishes clear performance measures, such as earned value management measures for IT investments (see following section). Currently, 13 departmental IT investment projects are included in OMB’s high-risk list, which account for about $24 billion in life-cycle costs. Twelve of these high-risk projects are related to air traffic control modernization, which has been on the Government Accountability Office’s high-risk list for more than 10 years. The departmental IRB needs to work with OA review boards to continue exercising knowledgeable oversight of these major IT investments.


Earned Value Management System Needs To Be Utilized To Better Monitor IT Investments

As a fundamental requirement of acquisition or modification of major systems, the earned value management system offers management important insights into progress. Full implementation of the EVM system on IT programs would ensure that management receives information providing accurate cost and schedule performance data essential for planning and making effective IT business decisions.
In addition, recognizing the importance of EVMS, OMB issued a memorandum last year, which listed 32 criteria that agencies should meet when implementing EVMS to monitor their major IT investments.4

However, an effective EVMS practice has not yet been implemented at DOT. For example:

• Seventy-one percent (15 out of 21) of major FAA IT investments met fewer than half of the OMB criteria.

• Seventy percent (7 out of 10) of other major DOT IT investments met fewer than half of the OMB criteria.

According to the CIO, during FY 2006 his office was not able to develop a plan for improvement, given the loss of key personnel and the fact that they have not been able to identify qualified staff with extensive EVM knowledge. As a result, the EVM data generated and reported to the CIO by the OAs do not go through an assessment of integrity or accuracy. However, these EVM data are still provided to DOT management, which uses this information to better understand the progress on approved IT investments and to make investment decisions. In addition, the CIO continues to use these EVM data for mandatory reporting to OMB. OMB placed seven major DOT investments—FAA (6) and Departmentwide (1)—on the high-risk list because of the questionable EVM data reported. These projects account for about $720 million in DOT’s FY 2006 IT budget, and $16 billion in life-cycle cost estimates. Enhancing the use of EVMS to monitor major IT investment projects requires committed management attention.

4 Improving Information Technology (IT) Project Planning and Execution, M-05-23, August 4, 2005.


Efforts To Streamline Duplicative Systems for Cost Savings Need To Continue

Another area requiring senior management attention is continuing to streamline duplicative common systems for cost savings.
In FY 2003, the Department identified opportunities to consolidate duplicative systems used in 11 common business areas across OAs, such as office IT infrastructure, financial management, grants management, and training. During FY 2006, the Department completed its consolidation of recruitment systems and will complete consolidation of IT infrastructures at the new Headquarters in FY 2007. Progress has also been made in eliminating duplicative financial systems and teaming with the Department of Housing and Urban Development to streamline grants management systems. The Department needs to continue to actively pursue streamlining these duplicative systems to realize the cost savings that consolidation can offer (see Table 3).

Table 3. Status of Enterprise Initiatives as of September 15, 2006

                                                         Number of    Amount of life-cycle
      Initiative                                         current      budget (in millions
                                                         systems      of dollars)
      Financial Management/Travel Systems                      26                   $725
      Grants Management                                         5                      8
      Recruitment                                               2                     26
      Internal Rulemaking Tracking                              3                      1
      Procurement Management                                    9                     26
      Enterprise Document Management                          N/A                     45
      Training                                                 16                     50
      ACE/ITDS (Automated Commercial Environment/
        International Trade Data System)                      N/A                      2
      Intermodal Hazmat Data Sharing                          N/A                     14
      Enterprise Architecture                                  11                     39
      IT Consolidation                                         61                  1,309
         Total                                                                    $2,245
      N/A: information not available.


RECOMMENDATIONS

In order to strengthen the Department’s information security program, we recommend that the Department’s Chief Information Officer:

Enhance critical infrastructure protection by:

    1. Evaluating the adequacy of the corrective action plans submitted by FAA for reviewing operational air traffic control system security and developing contingency plans for prolonged service disruptions, to ensure accountability.

    2. Conducting quarterly assessment review meetings with FAA to measure progress made against the approved plans.

Enhance computer systems security reviews by:

    3. Ensuring that recertifications of DOT information systems are prioritized and needed security upgrades identified. OAs must report progress measured against a pre-approved schedule throughout the year, including but not limited to budget and staffing levels for FY 2007.

    4. Developing, implementing, and enforcing a policy clarifying to OAs how to correctly determine overall systems risk-impact levels.

    5. Issuing a memorandum of understanding delineating systems security roles and responsibilities for national databases such as CDLIS and NDR, to ensure that they are correctly assessed for risk and appropriately secured.

Enhance the security protection associated with the Headquarters move by:

    6. Testing the new building’s infrastructure before installing OAs’ mission-critical systems on the infrastructure.

    7. Establishing system backup and recovery sites for the consolidated IT infrastructure and all applications systems operating on it, committing to a specific date for conducting systems recovery testing after completing the Headquarters move, and directing OAs to eliminate their individual system backup/recovery sites.

Enhance systems contingency planning and testing by:

    8. Developing and testing contingency plans for information systems that lack such plans.

Enhance DOT network security by:

    9. Developing a standard methodology to collect information from OAs to validate that commercial software products used in their information systems are configured in accordance with security standards.

   10. Conducting a validation review and following up with OAs on a quarterly basis throughout the year.

Enhance IT investment management controls by:

   11. (a) Working with OAs to develop performance measures on their IT investment projects to ensure effective oversight by OAs’ investment review boards.
       (b) Requiring OAs to report the review results to the departmental IRB.

   12. (a) Working with FAA to ensure proper implementation of earned value management to oversee all high-risk projects.
       (b) Working with other OAs to measure their implementation of earned value management based on OMB criteria.

   13. Developing a plan to continue streamlining duplicative common systems in identified areas after completing the Headquarters move.


MANAGEMENT COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

The CIO Office reviewed a draft of this report and provided oral comments.
CIO officials concurred with the report’s findings and recommendations and stated that they will provide written comments describing the specific actions they will take to implement the recommendations.


ACTIONS REQUIRED

In accordance with DOT Order 8000.1C, we would appreciate receiving your written comments on this report within 30 calendar days. Please indicate the specific actions taken or planned for each recommendation and a target date for completion. You may provide alternative courses of action that you believe would resolve the issues presented in this report.

We appreciate the courtesies and cooperation of the Office of the CIO and the OAs’ representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-6767; Theodore P. Alves, Acting Deputy Inspector General, at (202) 366-1992; or Rebecca C. Leng, Assistant Inspector General for Financial and Information Technology Audits, at (202) 366-1496.


                                       #

cc: Deputy Secretary
    Federal Aviation Administrator
    CIO Council members
    Martin Gertel, M-1


EXHIBIT A. OIG INPUT TO FISMA REPORT

Section C: Inspector General. Questions 1, 2, 3, 4, and 5.
Agency Name:

Question 1 and 2

1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.).

To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:
1) Continue to use NIST Special Publication 800-26, or,
2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet the requirements of law. Self reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

2. For each part of this question, identify actual performance over the past fiscal year by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year.

Question 1 columns: a. Agency Systems; b. Contractor Systems; c. Total Number of Systems (each giving Total Number and Number Reviewed).
Question 2 columns: a. Number of systems certified and accredited; b. Number of systems for which security controls have been tested and evaluated in the last year; c. Number of systems for which contingency plans have been tested in accordance with policy and guidance (each giving Total Number and Percent of Total).

For every bureau, the High, Moderate, and Low rows were reported as 0 in all Question 1 columns and left blank in the Question 2 columns (see the Question 5 comments); only the sub-total rows carry data and are shown here.

                          Question 1                                   Question 2
                          a. Agency    b. Contractor  c. Total         a. C&A         b. Controls    c. Contingency
                          Systems      Systems        Systems                          tested         plans tested
Bureau   FIPS 199         Total  Rev.  Total  Rev.    Total  Rev.      No.  Pct.      No.  Pct.      No.  Pct.
FAA      Sub-total          252    6      11    1       263    7         7  100.0%      3  42.9%       2  28.6%
FHWA     Sub-total           22    0       1    0        23    0         0    0.0%      0   0.0%       0   0.0%
FMCSA    Sub-total           22    0       0    0        22    0         0    0.0%      0   0.0%       0   0.0%
FRA      Sub-total           22    0       0    0        22    0         0    0.0%      0   0.0%       0   0.0%
FTA      Sub-total            5    0       1    0         6    0         0    0.0%      0   0.0%       0   0.0%
MARAD    Sub-total           12    0       0    0        12    0         0    0.0%      0   0.0%       0   0.0%
NHTSA    Sub-total           15    0       3    0        18    0         0    0.0%      0   0.0%       0   0.0%
OST      Sub-total           43    3       0    0        43    3         3  100.0%      0   0.0%       0   0.0%
PHMSA    Sub-total            5    1       0    0         5    1         1  100.0%      0   0.0%       0   0.0%
RITA     Sub-total            9    2       0    0         9    2         2  100.0%      0   0.0%       0   0.0%
SLSDC    Sub-total            1    0       0    0         1    0         0    0.0%      0   0.0%       0   0.0%
STB      Sub-total            2    0       0    0         2    0         0    0.0%      0   0.0%       0   0.0%
Agency   High                 0    0       0    0         0    0         0    0.0%      0   0.0%       0   0.0%
Totals   Moderate             0    0       0    0         0    0         0    0.0%      0   0.0%       0   0.0%
         Low                  0    0       0    0         0    0         0    0.0%      0   0.0%       0   0.0%
         Not Categorized      0    0       0    0         0    0         0    0.0%      0   0.0%       0   0.0%
         Total              410   12      16    1       426   13        13  100.0%      3  23.1%       2  15.4%


Question 3

In the format below, evaluate the agency’s oversight of contractor systems, and agency system inventory.

3.a.    The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy. Self-reporting of NIST Special Publication 800-26 and/or NIST 800-53 requirements by a contractor or other organization is not sufficient; however, self-reporting by another Federal agency may be sufficient.
        Response Categories:
          - Rarely, for example, approximately 0-50% of the time
          - Sometimes, for example, approximately 51-70% of the time
          - Frequently, for example, approximately 71-80% of the time
          - Mostly, for example, approximately 81-95% of the time
          - Almost Always, for example, approximately 96-100% of the time
        Response: Almost Always, for example, approximately 96-100% of the time

3.b.1.  The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
        Response Categories:
          - Approximately 0-50% complete
          - Approximately 51-70% complete
          - Approximately 71-80% complete
          - Approximately 81-95% complete
          - Approximately 96-100% complete
        Response: Approximately 96-100% complete

3.b.2.  If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please list the systems that are missing from the inventory.
        Response: N/A

3.c.    The OIG generally agrees with the CIO on the number of agency owned systems.
        Response: Yes

3.d.    The OIG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency.
        Response: Yes

3.e.    The agency inventory is maintained and updated at least annually.
        Response: Yes

3.f.    The agency has completed system e-authentication risk assessments.
        Response: Yes


Question 4

Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency wide plan of action and milestone (POA&M) process. Evaluate the degree to which the following statements reflect the status in your agency by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the area provided below.

For items 4.a.-4.f., the response categories are as follows:
  - Rarely, for example, approximately 0-50% of the time
  - Sometimes, for example, approximately 51-70% of the time
  - Frequently, for example, approximately 71-80% of the time
  - Mostly, for example, approximately 81-95% of the time
  - Almost Always, for example, approximately 96-100% of the time

4.a.    The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
        Response: Mostly, for example, approximately 81-95% of the time

4.b.    When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
        Response: Mostly, for example, approximately 81-95% of the time

4.c.    Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation progress.
        Response: Almost Always, for example, approximately 96-100% of the time

4.d.    CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
        Response: Almost Always, for example, approximately 96-100% of the time

4.e.    OIG findings are incorporated into the POA&M process.
        Response: Almost Always, for example, approximately 96-100% of the time

4.f.    POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
        Response: Mostly, for example, approximately 81-95% of the time


Question 5

OIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a qualitative assessment of the agency’s certification and accreditation process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems” (May, 2004) for certification and accreditation work initiated after May, 2004.
This includes use of the FIPS 199 (February, 2004), “Standards for Security Categorization of Federal Information and Information Systems,” to determine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans.

Assess the overall quality of the Department's certification and accreditation process.
        Response Categories:
          - Excellent
          - Good
          - Satisfactory
          - Poor
          - Failing
        Response: Good

Comments: We found that critical infrastructure systems used to direct air traffic control and track shipments of hazardous materials were reported as having a moderate risk impact which is inconsistent with OMB's suggestions and the upcoming departmental policy on security categorization. Due to this concern, we decided not to report how many high, moderate, and low risk-impact systems the Department has in question 1.


Question 6

6.a.    Is there an agency wide security configuration policy?
        Response: Yes
        Comments:

6.b.    Configuration guides are available for the products listed below. Identify which software is addressed in the agency wide security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.

        Response choices for the extent of implementation include:
          - Rarely, or, on approximately 0-50% of the systems running this software
          - Sometimes, or on approximately 51-70% of the systems running this software
          - Frequently, or on approximately 71-80% of the systems running this software
          - Mostly, or on approximately 81-95% of the systems running this software
          - Almost Always, or on approximately 96-100% of the systems running this software

        Product                    Addressed in        Do any agency     Approximate extent of implementation of the
                                   agency-wide         systems run       security configuration policy on the systems
                                   policy?             this software?    running the software
                                   (Yes, No, or N/A)   (Yes or No)
        Windows XP Professional    Yes                 Yes               Rarely, or, on approximately 0-50% of the systems running this software
        Windows NT                 Yes                 No
        Windows 2000 Professional  Yes                 Yes               Frequently, or on approximately 71-80% of the systems running this software
        Windows 2000 Server        Yes                 Yes               Frequently, or on approximately 71-80% of the systems running this software
        Windows 2003 Server        Yes                 Yes               Rarely, or, on approximately 0-50% of the systems running this software
        Solaris                    Yes                 Yes               Mostly, or on approximately 81-95% of the systems running this software
        HP-UX                      Yes                 Yes               Rarely, or, on approximately 0-50% of the systems running this software
        Linux                      Yes
        Yes\n                                                                          running this software\n                                                                        - Mostly, or on approximately 81-95% of the systems\n      Cisco Router IOS                Yes                  Yes\n                                                                          running this software\n                                                                        - Mostly, or on approximately 81-95% of the systems\n      Oracle                          Yes                  Yes\n                                                                          running this software\n      Other: Wireless/PDA                                               - Rarely, or, on approximately 0-50% of the systems\n                                      Yes                  Yes\n      and SQL                                                             running this software\n\n      Comments: During FY 2006, DOT published additional baseline configuration standards for software products. In addition,\n      DOT's Office of Chief Information Officer (OCIO) identified 117 DOT systems to be tested for compliance with its baseline\n      configuration standards, and required OAs to complete the compliance checks and report the testing results by early September\n      2006. Nine OAs that were responsible for 36 of 117 systems submitted their test results. Our review was based on this\n      submission. However, we found deficiencies in this submission that are detailed in our audit report.\n\n\n\n\nExhibit A. OIG INPUT TO FISMA REPORT\n\x0c                                                              Question 7\n\n      Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include\n      comments in the area provided below.\n\n                     The agency follows documented policies and\n          7.a.       
procedures for identifying and reporting incidents internally.\n                Response: Yes\n\n          7.b.  The agency follows documented policies and procedures for external reporting to law enforcement authorities.\n                Response: Yes\n\n          7.c.  The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT), http://www.us-cert.gov.\n                Response: Yes\n\n      Comments: In FY 2006, DOT's TCIRC reported over 500 security incidents to US-CERT and was praised as a diligent and responsive Federal agency in reporting incidents.\n\n\n                                                              Question 8\n\n          8.    Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities?\n\n                Response Choices include:\n                - Rarely, or approximately 0-50% of employees have sufficient training\n                - Sometimes, or approximately 51-70% of employees have sufficient training\n                - Frequently, or approximately 71-80% of employees have sufficient training\n                - Mostly, or approximately 81-95% of employees have sufficient training\n                - Almost Always, or approximately 96-100% of employees have sufficient training\n\n                Response: Mostly, or approximately 81-95% of employees have sufficient training\n\n\n                                                              Question 9\n\n          9.    Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training?\n                Response: Yes\n\n\n\nEXHIBIT B. SCOPE AND METHODOLOGY\nDuring FY 2006, we fulfilled the requirements of FISMA by reviewing the\nprogress made in securing FAA's air traffic control systems, the unique challenge\nin recertifying 50 percent of the DOT systems' security, the security of the\nconsolidated IT infrastructure, the validation that OAs' systems are configured\naccording to security standards, and the implementation of IT capital planning and\ninvestment control procedures. In addition, we sampled 14 systems that had\nundergone system security reviews to determine whether the OAs had complied\nwith Government and DOT standards in assessing system risks, identifying\nsecurity requirements, testing security controls, and accrediting systems to support\nbusiness operations.\n\nWe assessed DOT's progress in correcting weaknesses identified in last year's\nFISMA review and contributed to DOT's FISMA report by rating DOT's progress\nin areas specified by OMB.\n\nWe used the audit methodologies recommended by the Government\nAccountability Office and guidelines issued by other Government authorities such\nas NIST. 
We also used commercial scanning software to assess network\nvulnerabilities.\n\nWe performed our information security review work throughout FY 2006,\nfocusing on the FISMA evaluation between July and September 2006 at DOT and OA\nHeadquarters offices in the Washington, DC, metropolitan area. This performance\naudit was conducted in accordance with Generally Accepted Government\nAuditing Standards prescribed by the Comptroller General of the United States\nand included such tests as we considered necessary to detect fraud, waste, and\nabuse.\n\nPrevious audit reports on DOT's information security program issued in response\nto the FISMA legislative mandate (formerly the Government Information Security\nReform Act [GISRA]) include:\n\nDOT Information Security Program, FI-2006-002, October 7, 2005;\nDOT Information Security Program, FI-2005-001, October 1, 2004;\nDOT Information Security Program, FI-2003-086, September 25, 2003;\nDOT Information Security Program, FI-2002-115, September 27, 2002; and\nDOT Information Security Program, FI-2001-090, September 7, 2001.\n\n\n\nEXHIBIT C. 
DOT OPERATING ADMINISTRATIONS AND SYSTEM INVENTORY COUNTS\n\nOperating Administration                                Acronym   FY 2005   FY 2006\n\nFederal Aviation Administration                         FAA          271       263\nFederal Highway Administration                          FHWA          24        23\nFederal Motor Carrier Safety Administration             FMCSA         19        22\nFederal Railroad Administration                         FRA           21        22\nFederal Transit Administration                          FTA            9         6\nMaritime Administration                                 MARAD         13        12\nNational Highway Traffic Safety Administration          NHTSA         18        18\nOffice of the Secretary                                 OST           52        43\nPipeline and Hazardous Materials Safety Administration  PHMSA          4         5\nResearch and Innovative Technology Administration       RITA          17         9\nSaint Lawrence Seaway Development Corporation           SLSDC          1         1\nSurface Transportation Board                            STB            2         2\n\n   Total Systems                                                     451       426\n\n\n\nEXHIBIT D. MAJOR CONTRIBUTORS TO THIS REPORT\n\n\nName                                   Title\n\nEd Densmore                            Program Director\nNathan Custer                          Project Manager\nDr. Ping Z. Sun                        Project Manager\nMichael Marshlick                      Computer Science Adviser\nMichael P. Fruitman                    Communications Adviser\nVictoria La Rock                       Senior Auditor\nJim Mallow                             Senior Auditor\nLynn Dowds                             Senior Auditor\nTim Roberts                            Senior Auditor\nMitchell Balakit                       Information Technology Specialist\nAaron Nguyen                           Computer Scientist\nNarja Hylton                           Auditor\nChristopher Cullerot                   Information Technology Specialist\nVasily Gerasimov                       Information Technology Specialist\nMartha Morrobel                        Information Technology Specialist\nAnn Moles                              Information Technology Specialist\n